Sunday, January 2, 2011

Gmail Account Security Breach - zorpia spam

Received zorpia.com spam
My son and I had an interesting security breach this morning with regards to zorpia.com. We detected this when all of his gmail contacts were spammed with email from "invitation at zorpia.com" on his behalf. All of his contacts were spammed multiple times with the same email that was essentially trying to get the recipient to click on links that pointed towards zorpia.com. Let me explain how the events transpired:

OpenDNS
Since my son is blocked from zorpia.com via OpenDNS I knew he did not have an account there. We discussed the issue and quickly realized some account of his was breached. At this point, all we knew was the zorpia spam was sent to me and my wife. Shortly thereafter, my son received a forwarded zorpia email from his grandfather asking about it.

zorpia.com email getting sent to his gmail contacts
At this point, we knew for sure it was something to do with his gmail account. Since his password was "tight" at 9+ characters including punctuation characters, it was hard to believe someone cracked his password, especially since it was used nowhere else. I asked him if he had recently used a friend's computer to access his gmail account and he had not. He did mention he brought his Mac over to his friend's house and they ran an "open" wifi network (shame on them). Since my son has a Mac, the open wifi did not raise immediate concerns. I have his Mac buttoned up with ssh key authorization only. We then ran a Norton scan on his Mac and it was clean. His USB sticks were also scanned and were clean. Home network scans on all home computers were also clean.

Firewall Check
My home network firewall (FreeBSD/IPFilter) is fully logged and very tight. I ran some reports on the logs and nothing jumped out at me. I actually put all log entries into mysql making searching through firewall data very easy.
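The approach described here, firewall log lines loaded into a database so they can be queried, as an added example that is not code from the post: the log lines are constructed in an ipmon-style layout (the exact field order is assumed), SQLite stands in for MySQL, and the query answers the question the post later raises, which LAN host opened connections to a given external address (203.0.113.7 is a constructed placeholder, not zorpia.com).

```python
import re
import sqlite3

# Constructed sample lines in an ipmon-style format (layout assumed):
# date time iface @group:rule action src,sport -> dst,dport PR proto ...
SAMPLE_LOG = """\
02/01/2011 09:12:03.118220 em0 @0:12 p 192.168.1.20,51234 -> 203.0.113.7,80 PR tcp len 20 60 -S OUT
02/01/2011 09:12:05.330001 em0 @0:12 p 192.168.1.31,52001 -> 203.0.113.7,443 PR tcp len 20 60 -S OUT
02/01/2011 09:13:44.000120 em0 @0:9 b 198.51.100.9,4444 -> 192.168.1.20,22 PR tcp len 20 60 -S IN
02/01/2011 09:15:02.551000 em0 @0:12 p 192.168.1.20,51300 -> 203.0.113.7,80 PR tcp len 20 60 -S OUT
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[pb]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\S+)"
)

SCHEMA = ("CREATE TABLE fw(ts TEXT, iface TEXT, rule TEXT, action TEXT, "
          "src TEXT, sport INTEGER, dst TEXT, dport INTEGER, proto TEXT)")


def load_log(text, conn):
    """Parse log text into the fw table; returns the number of rows loaded.
    Lines that do not match the expected layout are skipped, not guessed."""
    conn.execute(SCHEMA)
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append((d["date"] + " " + d["time"], d["iface"], d["rule"], d["action"],
                     d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["proto"]))
    conn.executemany("INSERT INTO fw VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return len(rows)


def hosts_contacting(text, dst_ip):
    """Which sources opened passed ('p', not blocked 'b') connections to dst_ip,
    as (src, count) pairs, busiest first."""
    conn = sqlite3.connect(":memory:")
    load_log(text, conn)
    cur = conn.execute(
        "SELECT src, COUNT(*) FROM fw WHERE dst = ? AND action = 'p' "
        "GROUP BY src ORDER BY 2 DESC, src", (dst_ip,))
    return cur.fetchall()
```

Answering this question for a hostname rather than an IP additionally requires logging DNS answers (or the resolver's query log), since the firewall only ever sees addresses.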

Gmail Account Access Details
Lastly, I asked him to look at the bottom of his gmail page and see what IP addresses were used to access his account. I have a static IP address at home, so there should really just be my public IP address listed since his Mac rarely leaves our house. To our shock, access was coming from several IP addresses. I ran a few "whois" lookups and most IP addresses pointed to the Amazon cloud. However, some were starting to show up from Japan in near real time.

Gmail Account Breached for Sure
Obviously, at this point we knew his gmail account was breached. We changed his password to a nice 13 character password with the standard upper/lower case letters, numbers, and punctuation. Fortunately, gmail provides a way to sign out all other sessions (thank you google!). At this point, the breach was closed.

Notification
Afterwards, we monitored the IP addresses his gmail account was accessed from and it continued to just remain from my public IP. We emailed his gmail contacts about the issue, warning them not to click on any zorpia emails from him.

Password Policies
This should remind all of us to:

Use passwords that contain upper/lower case letters, numbers, and punctuation.

I require my family to use fully random characters that do not spell anything.

Length of passwords, at least in my opinion, should be 14 characters long for all financial institutions.

Passwords can be shorter for sites with fewer security concerns, an online forum perhaps.

Never use the same password anywhere.

Use some secure method to record your passwords. There are several online services to help you manage them. Some services use 3-way authentication, which is what I require for my family.

Change passwords regularly which is easier to do using one of the online services.
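The policy in the list above turned into a checker and a generator, as an added example that is not code from the post: the 14-character minimum for financial sites is the post's, while the 10-character forum minimum and the small word list (standing in for a real dictionary) are assumptions.

```python
import secrets
import string

# Minimum lengths: 14 for financial sites is from the post; 10 for forums is assumed.
MIN_LENGTH = {"financial": 14, "forum": 10}

# Constructed stand-in for a dictionary, used to reject passwords that "spell" something.
COMMON_WORDS = {"password", "letmein", "welcome", "summer", "qwerty", "admin"}


def policy_violations(password, site_class="financial", used_elsewhere=()):
    """Return the reasons a password fails the policy (empty list means it passes).

    used_elsewhere: passwords already in use on other sites, so that reuse
    is rejected ("never use the same password anywhere")."""
    problems = []
    if len(password) < MIN_LENGTH[site_class]:
        problems.append(f"shorter than {MIN_LENGTH[site_class]} chars for a {site_class} site")
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punct": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name} characters")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"spells a dictionary word: {word}")
    if password in used_elsewhere:
        problems.append("reused from another site")
    return problems


def generate_password(length=14, site_class="financial"):
    """Fully random password from all four classes, resampled until it passes policy."""
    if length < MIN_LENGTH[site_class]:
        raise ValueError(f"length must be at least {MIN_LENGTH[site_class]} for {site_class}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, site_class):
            return candidate
```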

In closing, it would be nice to think that the Internet is a friendly and useful place, and it certainly is. However, security should always be a concern. Hacking techniques constantly evolve and one needs to stay up to date on their computer/network security infrastructure.

The Zorpia Team supported me superbly investigating this incident. I cannot thank them enough.

Upon complete investigation, the incident had nothing to do with Zorpia spam nor did Zorpia have anything to do with the gmail account breach. It was purely an incident of the lack of proper parental controls on a child's computer.

As it turned out, OpenDNS was not blocking zorpia.com in my configuration and the Zorpia account was genuinely created from my public IP. Furthermore, the (Zorpia) user knowingly sent out Zorpia invitations from this gmail account.

We do know that the gmail account was breached and this was likely due to the lack of proper password management, but I cannot be certain.

Unfortunately, I did not have enough firewall logging to determine what PC accessed zorpia.com on my home network. This issue is now corrected.

This is a good lesson to learn all the facts before posting information. My apologies Zorpia.

It is a spam website. I have received numerous emails from them and never signed up with them, but somehow they got my information. I have reported their emails as spam and still continue to get spam from them. I reported them to their domain provider today, which is GoDaddy.com. If they cannot fix the issue I plan on starting a class action lawsuit against them. Doing a simple Google search for "Zorpia spam" will show that many people are dealing with unsolicited spam from this website. Just wondering if you had any suggestions as to how I can compile a list of other victims so that I can let them know about my actions and get as many people involved in this potential lawsuit so that we can get them shut down for good. Thanks.

Zorpia lied to you. They "supported" your investigation by feeding you false information about what they do. Spammers can concoct some very convincing "but it wasn't us" scenarios, and sites like Zorpia probably do that every day so they can get really good at it.

The GMail breach was probably an OAuth enabled access (no password required); you need to check all affected Google accounts for enabled apps, and revoke access to the Zorpia one and/or any that you don't know and trust.

Zorpia is bad. I'm not sure what they get out of it, but they ask people to click on a link for a "secret message" - and that authorizes Zorpia to send spam to the entire address book of the unsuspecting user.

I have six acquaintances so far who have accidentally invited me - and the invites keep coming.

"MyContactsAlias" left you a private message. Click on the button below to view it:

There's a button that says [View private message]

When you click the button you are prompted to login with your google account. I wonder if I was only prompted because I have 2 accounts and I was prompted to select one of the 2. I'm thinking maybe it does not even prompt you if you only have one account.

"A third party service is requesting permission to access your Google Account.

In order to authorize a third party service to access your account, you must sign in. "

Google needs to add another layer of confirmation before a site access your contacts.

I had a row with my girlfriend about her zorpia profile. After calming down and analysing the situation, we noticed that her facebook details were automatically harvested. Her photo and details were on the zorpia website and she received dozens of emails each week. She never allowed for photos to be taken like this and, more disturbingly, the zorpia app on facebook propagates like a virus going through the friends network. If the facebook app platform is set to ON, your information gets used. When switched off, zorpia does not take the information. Zorpia is using this to then activate the zorpia account so that it looks like my girlfriend was frequently on the site. Basically, zorpia makes lots of fictitious accounts by leeching on existing social networks, such as facebook and google+. After that it keeps the site looking alive by periodically activating the profiles to seem to have an active user base. My girlfriend got the same "I added you.." email from one of her happily married friends who had no idea that her details were used on a website to attract men. All this happened in September 2013. Finally, and of the greatest importance, instead of logging into the account using one of the provided links (using existing facebook or google account), you can also just type in your email account (unclick the remember my details) and type your email password! Yes, zorpia also harvested the email username that was attached to facebook and the corresponding password of the email address (not necessarily the facebook password). This is an entire breach of privacy and the site is not a bona fide website, but instead uses social network sites to create a large "user base" to then get revenue from advertisers.